50% of Financial Firms on the FTSE 100 are at risk of being taken off the Internet – is your company too?

  • Angelique Medina, Senior product marketing manager at ThousandEyes

  • 24.10.2018 09:30 am
  • undisclosed

The Domain Name System (DNS) is one of the cornerstones of the Internet today. It is, in effect, the “phone book of the Internet.” 

However, despite its critical role, it’s also the least appreciated aspect of delivering an online banking user experience, and the most overlooked chink in a bank’s IT armour.  

Its importance can’t be overstated. It’s the first step in how we connect to online brands, such as banks, because it’s the Internet infrastructure that translates human-readable domain names to routable Internet protocol (IP) addresses. This means that without DNS, there is no digital banking experience.

DNS services are assigned by an Internet service provider (ISP), meaning they may not always be the best choice available to a bank. Slower DNS servers can create lag before websites start to load. In worst-case scenarios, the Internet can’t function: if the DNS record of a website is unavailable, then the service is unreachable to users. Also, critically, ISPs may lack sufficient encryption mechanisms, leaving DNS query traffic vulnerable to attack.

Two Years On From Dyn

Many reputable third parties, including Google, offer DNS services. These third parties really matter: just two years ago, many financial organisations were effectively taken off the Internet for multiple hours by a distributed denial of service (DDoS) attack because they all relied on a single DNS provider, Dyn in their case. In this DDoS attack, a network of computers infected with special malware, known as a “botnet”, was coordinated to bombard the provider with Internet traffic until it collapsed under the strain. As a result, large swathes of users in Europe and North America couldn’t access major financial platforms and services.

Can it happen again?

According to the 2018 ThousandEyes Global DNS Performance Report, 50% of financial companies (including banks) on the Financial Times Stock Exchange (FTSE) 100 are still at risk. Two years after the Dyn DDoS attack, you’d think financial companies and banks would have learned their lesson, but apparently not so.

As shown by this research, many of the biggest financial companies on the planet, which also happen to be some of the most digitally mature organisations in the world – as well as 44% of the top 25 software as a service (SaaS) providers – don’t have a fallback DNS server option. That means that a single outage or DDoS attack could completely take their businesses off the Internet.

The need for awareness of DNS has grown as more financial organisations than ever rely on digital experiences in their revenue generation. According to Gartner, CIOs report that 37% of their revenues will have a digital footprint by 2020. Meanwhile, specifically in banking, 59% of financial decision-makers expect the importance of branch banking to diminish significantly as customers migrate to digital channels, according to consultancy firm PwC.

If DNS is the first step in every digital banking and financial experience, then not getting that step right can be incredibly costly.

Yet despite this critical situation, too many are just using a single DNS service. If that DNS “power” gets cut, it doesn’t matter how much you spend on your content delivery network (CDN) or your regional cloud hosting, your financial brand will be offline and you’ll be scrambling.

DNS is still a bit of a “dark art” that many within the financial services and banking industry pay little attention to, not understanding that its performance and security can significantly impact the digital experience for end users.

In many cases, it’s simply a lack of awareness of best practice. Banks and financial services companies often think that they’re resilient because they have more than one nameserver, when in fact they are not.

What must be understood about the DNS is that financial firms can take control of this part of the IT infrastructure. Third parties who offer DNS services often have superior speed and security. True DNS resilience means that your authoritative DNS records are served from diverse networks, facilities and routed prefixes. It’s certainly possible to do this on your own, but it’s typically easier (and less costly) to outsource your authoritative DNS to one or more third-party services.
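The gap between "more than one nameserver" and real diversity can be checked mechanically. The following added example (not ThousandEyes code or methodology) audits a zone's NS set for a single provider or a single network prefix. The zone names, nameserver hostnames and addresses are constructed, and the provider and prefix heuristics are assumptions noted in the comments; facility diversity cannot be inferred from DNS data alone.

```python
import ipaddress

# Constructed sample data: hypothetical zones and nameserver names under
# .example, with addresses from the reserved documentation ranges.
SAMPLE_ZONES = {
    "bank-a.example": {  # two nameservers, one provider, one prefix
        "ns1.dnsprovider-one.example": ["192.0.2.10"],
        "ns2.dnsprovider-one.example": ["192.0.2.20"],
    },
    "bank-b.example": {  # two providers on separate prefixes
        "ns1.dnsprovider-one.example": ["192.0.2.10"],
        "ns1.dnsprovider-two.example": ["198.51.100.10"],
    },
    "bank-c.example": {  # two provider names, but one shared prefix
        "ns1.dnsprovider-one.example": ["203.0.113.5"],
        "ns1.dnsprovider-three.example": ["203.0.113.77"],
    },
}

def provider_of(ns_host):
    # Assumption: the last two labels of the hostname identify the operator.
    return ".".join(ns_host.rstrip(".").lower().split(".")[-2:])

def prefix_of(addr):
    # Assumption: /24 (IPv4) or /48 (IPv6) stands in for the routed prefix;
    # BGP data would be needed to know the real announcement.
    ip = ipaddress.ip_address(addr)
    return str(ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 48}", strict=False))

def assess(nameservers):
    """Return the single points of failure in one zone's NS set."""
    providers = {provider_of(host) for host in nameservers}
    prefixes = {prefix_of(a) for addrs in nameservers.values() for a in addrs}
    findings = []
    if len(nameservers) < 2:
        findings.append("single nameserver")
    if len(providers) < 2:
        findings.append("single DNS provider")
    if len(prefixes) < 2:
        findings.append("single network prefix")
    return {"providers": sorted(providers), "prefixes": sorted(prefixes),
            "findings": findings, "resilient": not findings}

if __name__ == "__main__":
    for zone, ns_set in SAMPLE_ZONES.items():
        result = assess(ns_set)
        print(zone, "OK" if result["resilient"] else result["findings"])
```

In practice the input would come from the zone's live NS and A/AAAA records, with routing data replacing the fixed-length prefix approximation.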

 
